Cyber Security
awareness
PRACTICAL TRAINING
Targeted Email Phishing
By far the most common way hackers get into companies, and onto your computers, is through targeted “phishing”
emails.
In a phishing attack, the hacker sends you an email that can either:
• Pretend to come from a financial or e-commerce website such as Ebay, Amazon or Paypal
• Pretend to come from people you trust like a friend, colleague, your bank, or a government agency
• Suggest that something bad will happen if you do not provide personal details right away
• Offer you a free prize or award
The emails will normally try to persuade you to open an attached file or click on a link to log into their fake “website,”
so you can change your password, view something, or provide details. Once you visit and log in, it’s Game Over.
They have your username and password, and can also drop malware onto your system if they want.
Many times, hackers will use details about you, such as your name, what you do, your background and preferences
(things that don’t usually change over time), that were stolen in a large breach (e.g. the Facebook
breach), to make the email more convincing, so that you click on a link in it.
Hackers are hoping you’re being distracted at work/home because you’re multitasking.
So remember to pause before you click any link!
Remember: All it takes is 1 click of your mouse to give them full access to your system.
When you receive an unsolicited email, please pay attention to the following red flags:
“From”
• Notice the name in the “From” field, and don’t believe it 100% (The “From” field
can be spoofed / faked so pay attention). Always treat this field with suspicion!
• The email could look like it’s coming from a friend, family member, colleague, business contact, manager or CEO, when
it is actually from a scammer.
“To”
“Salutation”
“Content/Body”
Embedded Link
Now hover your mouse over the link, BUT DON’T CLICK THE LINK! You will now see the REAL final link destination,
either as a popup message in your email client (e.g. Outlook), or in the bottom left status bar
of your browser. This is where the link is actually taking you!
If the link text in the email and the link that pops up when you hover your mouse do NOT match, be VERY suspicious!
• Be aware of slight variations in the website spelling, e.g. disney.com vs d1sney.com
• Also follow the address in the link all the way to the first “/” (forward slash). The domain name you see
immediately before the “/” is the real, final link destination, e.g. in www.blah.com-blahblah.evil.com/... the real
destination is evil.com, not blah.com
• If the link is a shortened URL, that is also a red flag in unsolicited emails pretending to come
from reputable companies, e.g. Google or your bank: for example http://ow.ly/blahblah or http://bit.ly/blahblah.
Never respond to login/password reset requests sent via email that you did not initiate or expect!
• Treat any email that directs you to click on a link with caution
• Pay attention to the URL address of the website you are typing in. Malicious websites may use a variation
in spelling or a different domain e.g. “.com” vs “.net”
• If you have any concerns, you really should personally phone the company or colleague or go to their
desk / office and confirm the purpose of the email in question.
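The link red flags above (link text vs real destination, the domain before the first “/”, slight spelling
variations, “.com” vs “.net”, and shortened URLs) can be checked mechanically. The following is an added example
written for this section, not code from the original training material; the shortener list and the two-character
edit-distance threshold are assumptions.

```python
from urllib.parse import urlsplit

# Shortener domains mentioned above; a real checker would use a much fuller list (assumption).
SHORTENERS = {"ow.ly", "bit.ly"}


def real_host(url: str) -> str:
    """The host that actually receives the click: the part before the first '/' after the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host: www.blah.com-blahblah.evil.com -> evil.com.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character spelling tricks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text: str, href: str, expected_domain: str) -> list[str]:
    """Return the red flags from the checklist above for one embedded link ([] = none found)."""
    expected = expected_domain.lower()
    host = real_host(href)
    real = registrable_domain(host)
    flags = []

    # Red flag 1: the link text shows one address, but hovering reveals another.
    if "." in display_text and registrable_domain(real_host(display_text)) != real:
        flags.append("displayed link and real destination differ")

    # Red flags 2-5 explain why the real domain is not the one you expected.
    if real == expected:
        pass
    elif real in SHORTENERS:
        flags.append("shortened URL hides the final destination")
    elif edit_distance(real, expected) <= 2:            # disney.com vs d1sney.com
        flags.append("lookalike spelling of " + expected)
    elif real.split(".")[0] == expected.split(".")[0]:  # disney.com vs disney.net
        flags.append("same name but different top-level domain: " + real)
    elif expected in host:                              # www.blah.com-blahblah.evil.com
        flags.append("%s appears in the address but the real domain is %s" % (expected, real))
    else:
        flags.append("real domain %s is not %s" % (real, expected))
    return flags
```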
Business email compromise (BEC)
In a BEC attack, the scammer’s goal is to persuade you to complete a wire transfer, usually to an international bank.
These emails will try to entice you based on urgent language, and your relationship with the email sender.
Hackers will specifically target people conducting certain kinds of high-value transactions such as people working in
Payroll or Accounts Payable who conduct international wire transfers.
Hackers will send the email from a high-level executive’s email inbox, such as the CFO or CEO. Or they will
email from a look-alike company website domain that is one or two letters different from your actual company
domain.
You can try this quick email phishing simulation created by Google. They present you with 8 very realistic emails, and
you might be surprised by how sneaky these phishing emails can be. Good luck!
https://phishingquiz.withgoogle.com/
Google also has created an online game called Interland: Reality River, in which you have to answer certain questions
to cross and avoid the phishers.
https://beinternetawesome.withgoogle.com/en_us/interland/landing/reality-river
If you receive a shortened URL (in an email for instance), you can copy/paste the URL into this website and it will
show you the full-length website URL, so you see where it really points to.
https://unshorten.link/
Macro Malware
Put simply, macros are a type of programming code that are embedded inside Microsoft Office
.XLS/.DOC/.PPT files, that can perform certain functions to make your job much easier.
Having said that, macros are also great for hackers trying to deliver evil code to you, because they can be
executed with a single mouse-click inside Microsoft Office!
Because the vast majority of Microsoft Office files found on the Internet are malicious, if you receive a Microsoft
Office file from the Internet or an untrusted source, there is a very good chance it will contain a malicious macro.
When you’re at work, only enable macros inside files stored in trusted locations. If you know the file is from a
trustworthy source, and you want to edit, save, or print the file, you can exit Protected View for that one particular
file.
Messenger Apps and Smishing (SMS phishing)
SMS texts and Messenger apps are just as easy to use for social engineering as email. It’s just another vehicle for
hackers to spread their evil malware to you!
Being able to message people using various software and apps is so common these days:
• SMS
• iMessage
• WhatsApp
• Facebook Messenger
• Skype
• Viber
• Telegram
• LinkedIn
Most people now access the Internet via their mobile phones:
• Most emails are opened first on a mobile device
• Due to the smaller screen space on mobile devices, it is harder to see where a presented link will actually
navigate to if clicked
• It is harder to see the real destination of hyperlinks in emails/messenger apps/SMS
• As a result, people are THREE TIMES more likely to click on a link in an SMS text/Messenger app from
a spoofed number, compared to on a computer
No government agency, bank, or legitimate business will ever request personal information via SMS text!
• Never click on any links in unsolicited texts/messages
• Also, never respond to them: Responding verifies that your phone number is active, and they might start
bombarding you with malicious messages now as a result
Vishing (Voice phishing)
Vishing Mitigation
NEVER TRUST YOUR CALLER ID ON YOUR PHONE.
Be prepared for vishers to have your name, address, phone number and last 4 of your Social Security Number
or credit card on hand (these may have been scraped from previous big company breaches).
Never give your personal info over the phone when you receive an unsolicited call.
Even if the caller ID looks good, tell them you will hang up and call them back. (But don’t call the number they
themselves are providing to you! That number cannot be trusted either.) Look up the institution’s/business’s number
online and call that number instead.
Finally, there are also certain apps (such as Malwarebytes, Hiya, Robokiller, Truecaller, and SMS Shield) that check
incoming calls and texts against a big database of known scammer numbers, and if they find a match, the app
will block the call or SMS text from coming through.
Ransomware
The malware will usually drop onto your system via a malicious link, an attachment, or by visiting a hacked, otherwise benign
website. The malware will then encrypt ALL of your important files, making them inaccessible to you. We are
talking pictures, documents, PDFs, emails. All of it.
Finally, hackers will not decrypt your files unless you pay them a ransom amount, usually in cryptocurrency.
Important: If you do end up paying them, they usually come back and encrypt your files again, and ask for even
more money, as they know you’re susceptible to blackmail now.
Lately they have also started stealing your data out of your network, to ‘add insult to injury’, and they will threaten
to release all your sensitive data onto the Internet unless you pay up!
Ransomware hackers target networks that they know are willing to pay, because the network cannot afford to
be offline for days or weeks.
Ransomware Mitigation
• Install antivirus software (it should include Machine Learning and Behavioral Analytics)
• Make sure your operating systems and all your software are up to date with patches!
• Create two backup copies of all of your important and sensitive files:
o One can be local, the other in the Internet Cloud (One Drive, Drop Box, Google Drive etc.)
o Disconnect the local drive from your computer when you are finished backing up your data,
so as to prevent ransomware from reaching these files
CryptoJacking/CryptoMining
Cryptomining is the use of computing power to perform very difficult mathematical computations, and being
rewarded for that work afterwards with cryptocurrency.
Cryptojacking is a theft of your unused computing power to secretly perform that same work.
The hackers want to monetize your computer or mobile phone while it sits idle, instead of buying their own
hardware!
So cryptojacking is basically cryptomining, without your explicit permission, with your own computer.
CryptoJacking/CryptoMining Mitigation
The best defense against malicious cryptomining scripts is to use script and ad blockers in your browsers (this
is addressed in the Browser Security section).
If you use Google Chrome, the browser’s Task Manager will show, per tab, how much computing power is being
used, so you can determine the website that may have loaded a cryptominer onto your system. Use the Task
Manager to see which website tab is the one using all the CPU power, and close the browser to stop the
cryptomining script from running.
Stay vigilant for any signs your system may be running slowly after visiting a certain website, clicking on an ad,
opening a file, etc. (although there are certainly other reasons why your machine may slow down).
Search Engine Optimization
Keep in mind that a large number of benign websites are regularly hacked, malicious code is uploaded onto
them, and then they appear in Google search results, as a way to get you to visit them.
As a result, one or more Google search results in the first few pages may be malicious for the following searches:
• Breaking news
• Natural event
• Celebrity death
• Political news
• “Free” music, software, screensavers, games etc.
• Popular trending topics
After clicking a link in the search results it is important to always verify that you have landed on the website domain
you expected. Double check the URL - Are there any weird characters, symbols? Verify that you are on the correct
domain before entering your login credentials.
Before typing in any personal data e.g. username and password, ensure that you have a secure connection between
your computer and the website. You will know this because the website address at the top left of the browser
window should begin with https (with an “s”)
Fake AntiVirus
Fake antivirus software tricks you into purchasing and installing malicious software that poses as a genuine-looking
antivirus program, but then grabs your credit card information so the scammers can “fix” your apparent virus
problem.
They may show you a persistent pop-up window, warning that your machine is seriously infected with viruses, and
offer to save you, by removing the viruses with their own software. But if you click anywhere in the pop-up window
to close the message, the link instead goes to a fake website and your computer becomes infected with real
malware.
The scammers may even call you by phone, and deceitfully inform you that your computer is showing “signs of
viruses.” They will then offer to “help” by directing you to a website to remove the viruses, but by following their
instructions, you are basically granting full remote-control access of your computer to them!
The good news is that most of these fake antivirus programs are usually non-destructive, meaning your
files are not at risk of being destroyed by the malware. Instead, they will keep pushing you into paying
money to fix the made-up virus problem.
Because your company manages your antivirus software for you while at work, if you ever receive a suspicious
message about viruses on your system, please contact your system administrator.
If you see these types of pop-ups at home, treat them with a high level of suspicion, and have your machine scanned
for malware (or wiped and rebuilt from scratch if you wish to be prudent).
Smartphones & Mobile Apps
Our smartphones, such as the Apple iPhone and the various flavors of Google Android, are extremely intimate
devices that allow you to view movies, browse, do online banking, take pictures and videos etc. So always keep
in mind that they are essentially mini computers.
And because they are so popular with all of us, they are major targets for hackers looking to steal our private data
and money.
APPLE iOS
If you have an iPhone today, you are, in general, more secure than on an Android. This is because:
• Apple controls all of its own hardware and software
o Apple centrally notifies and pushes all iOS/app updates to all iPhones. These devices upgrade as
soon as the latest versions come out. As a result, iPhone users are generally up to date.
• Apple has a closed app development environment, so it’s harder for anyone to create an app for iPhone
o Apple has a very strict vetting process around the apps in their App Store
• There is hardly any malware targeting the iPhone
o The iOS permissions are more restrictive, and also easier for you to understand. The app
will also ask for a permission at the moment it needs it, in real time, which means you will
have a better understanding of why it’s asking
ANDROID
Android phones have incredible functionality, customization, and a more open development platform and App
Store than iPhones, which offers us many benefits. But as a result, they also have some security weaknesses that you
must be aware of:
• Google has little control over pushing software updates to non-Google devices
o So Google leaves it to third-party phone manufacturers to push Android updates to their
own customers
o Some phone manufacturers e.g. Samsung are now following Google’s lead, and
sending monthly updates to their phones. But many others either deliver them later
or don’t even do it at all.
• Android users can download and install an app from either the Google Play App Store, or from
any third-party Android app store
o These third-party app stores have very few security checks, if any at all.
o They are often open for anyone to upload any app of their choosing
o A recent ThreatPost article states that the Google Play Store is 9x Safer Than Third-Party
App Stores
If possible, remember the passphrases for your email and financial institution websites in your own head. And for all
the rest of the hundreds of website passwords one has to manage, it’s recommended to use a password manager.
FRT has its own password manager called Credman. Anyone who wants to use it can request access by asking
your system administrator.
Encryption
Before considering any encryption solutions, make sure you do not go outside of company policy and install
unauthorized encryption software.
• All web sites and traffic, slowly but surely, are becoming encrypted on the Internet;
• 75% of the web is now HTTPS encrypted;
• Make sure to encrypt any emails that contain sensitive client/customer data, or personal data such
as Social Security numbers.
Social Media Scams
Because of all our connections with friends and family, as well as our ability to share new photos, links,
comments and stories with them, social networks are a very effective way of spreading malware.
And because there are over a billion people on social media websites, hackers and scammers go to where people
congregate.
Thus, because of this inherent trust you have with your social media friends, hackers and scammers will use
social engineering to trick you into viewing pictures and videos, and visiting links that will bring malware to your
systems (because you are more inclined to click on something that has been “shared”).
As a result, please make a habit of only following current news and events on reputable news sites, and avoid
reading news on social networking sites such as Facebook, unless the article is from a reputable news source as
well.
• Stop, and pause, when a friend sends a message, or writes on your “wall” with a catchy subject line,
to persuade you to click on the link, such as:
o OMG!
o WOW!
o YOU MUST SEE THIS!
o HEY, CHECK THIS OUT!
• Be extremely careful which social media groups and profiles you follow. Although
Facebook/Instagram/Twitter are deleting millions of fake accounts on a daily basis, new ones are still
created to share false or malicious content
• Be very suspicious if a message prompts you to update a program e.g. video codec, in order to view
content
• Be very suspicious if a message asks you to grant a third-party app access to your profile
• Think twice before accepting friend requests from people you don’t know. There are millions of bogus
social media accounts created every day, with fake profile pictures, which are being used to social engineer
people
Business Travel
First and foremost, always ask your system administrator to install any software needed to work securely whilst
traveling.
• Encrypt any sensitive data you have on your laptop with the help of your system administrator
• Ensure your phone/tablet is password protected
o Turn off all biometrics logins (authentication using parts of your body) when traveling, as
customs officers in foreign countries may unlock your phone using your face or fingerprint
• When traveling, only carry what you need remotely to do your assigned work
o As a rule, “don’t bring what you don’t need”
o If you have to travel with stored data, make sure it’s encrypted and backed up
• Do not connect to a public Wi-Fi, unless you’re using a VPN client:
o Especially for company work, banking, or e-commerce websites
o Only connect to well-known Wi-Fi networks
o Always check the network names to make sure there are no extra characters or typos
▪ Pro tip: Tether your laptop to your mobile phone’s hotspot. This bypasses open Wi-Fi
connections, and instead uses your mobile cell service to connect to the Internet
o Also switch off your Wi-Fi and Bluetooth connections when not in use
Cyber security incident escalation procedure
If you think that you have, accidentally or intentionally, clicked on a link, opened a website, or downloaded
a file that looks suspicious and might contain malware, this must immediately be escalated to your line
manager and, more importantly, to any of the system administrators.
If you feel that your PC/laptop might have been infected, try to avoid using it.
• If you are in the office, go to your line manager and then to the available system administrator
and explain what happened.
• If there isn’t any available system administrator, speak with the CTO, or ask your line manager to
speak to him.
• If your line manager is working from home, ask someone from your team to write to them.
• If your line manager is on holiday, turn to someone else senior from your team or to the manager
of your line manager.
• If you are working from home, pick up the phone and call your line manager directly via mobile
operator (not Teams).
The system administrator should take care of your machine, while the line manager should make sure to
communicate to everyone in the team and to partners/clients (depending on the employee’s role) that this
person’s machine might have been infected, and that they should not open or download anything received from him/her,
nor reply to any of their messages.
System administrators should keep a record of all cyber security incidents in a log.